海角大神

Modern field guide to security and privacy

Opinion: An Underwriters Laboratories for cybersecurity is long overdue

Noted security researcher Mudge left Google to launch what appears to be the cybersecurity equivalent of electronics testing outfit Underwriters Laboratories – an idea first proposed 16 years ago.

AP
Plant inspectors, civilian employees of the US Army Ordnance, Chicago district, tour the Underwriters Laboratories to study latest methods of combating fire, accident, and sabotage. A rotary sprinkler system is demonstrated to the group in Chicago, Jan. 14, 1942.

The security community on Twitter had as many accolades as questions after well-known researcher Peiter Zatko, aka Mudge, announced he was leaving Google to launch a project with some support – at least in spirit – from the White House.

But, no, it doesn't look like he's actually forming a government agency.

Mudge didn't reply to an e-mail to clarify what the new endeavor is all about. Even so, the notion that a so-called CyberUL – the cybersecurity version of the Underwriters Laboratories, or UL – is in the works should be news that everyone in the security community and, well, anyone who cares about safeguarding digital wares should celebrate.

Originally, the UL aimed to help prevent fires started by electrical circuits, reducing the cost to insurance companies. It has since become an internationally recognized authority on safety and technology and provides an earned level of trust between customers and manufacturers. As a result, billions of products have made it to market and benefited society in immeasurable ways. Its success is why an encircled "UL" has become a ubiquitous symbol on most consumer products.

To have a similar organization test the cybersecurity of hardware and software devices – especially with the rise of the Internet of Things – would go a long way toward a more secure world. The actual UL has also begun efforts to develop security testing for software in an effort that is expected to expand.

A CyberUL obviously won't prevent all security breaches, though. The UL hasn't prevented all electrical fires, either. But if executed properly, a CyberUL should raise the cybersecurity bar considerably. At the very least, it should allow businesses and consumers to evaluate their risk when shopping for hardware and software devices.

While this is a relevant and needed idea, it isn't new. Karl Kasper, aka Tan, in 1999 about how he envisioned a similar effort modeled after the UL.

Both Tan and Mudge were members of the storied hacker think tank where he, along with other L0pht members (including myself), pioneered work on vulnerabilities and deconstructing Microsoft Windows security problems.

Mudge went on to take charge of the Cyber FastTrack initiative at the Defense Advanced Research Projects Agency (DARPA) that helped fund numerous cybersecurity projects. After DARPA, he joined Google where he helped launch the company's Project Vault, which helps enable secure communications and storage on Secure Digital memory cards.

Mudge's tweet on Monday announcing his Google departure didn't offer much detail. There was no accompanying press release and Mudge hasn't elaborated on the tweet publicly – yet.

Still, a CyberUL approach to cybersecurity already seems to have the backing of the Obama administration. White House cybersecurity coordinator Michael Daniel last April "a nonprofit consortium that would rate products" was "very intriguing."

But beginning a new organization to accomplish this goal – especially inside the government – won't be easy. The complexity and reach of security is gargantuan, and trying to shoehorn that into a single standards organization will take considerable effort. Still, nothing yet has brought the UL model to cybersecurity in a fully inclusive way. With his experience at DARPA and Google, as well as credibility with the security research community, Mudge might just be the right person to pull it off.

C. Thomas (aka Space Rogue) is a strategist at the cybersecurity firm Tenable Network Security. You can follow him on Twitter.
